Security Information for a Domain

The security information API method returns multiple scores and security features, each of which can serve as a data point for building insight into the reputation or security risk of a site. No single security information feature is conclusive; these features should be examined in conjunction with one another as part of your security research.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/security/name/example.com"

Parameter for input

Field | Type | Description
----- | ---- | -----------
name | string | domain name

Returned values for output on success (HTTP 200)

Field | Type | Description
----- | ---- | -----------
dga_score | float | Domain Generation Algorithm score. Estimates how likely it is that the domain name was generated by an algorithm rather than chosen by a human. The algorithm is designed to identify domains created with an automated randomization strategy, a common evasion technique in malware kits and botnets. Ranges from -100 (suspicious) to 0 (benign).
perplexity | float | A second score for how likely the name is to be algorithmically generated, on a scale from -100 to 0. Use in conjunction with dga_score.
entropy | float | The number of bits required to encode the domain name, as a score. Use in conjunction with dga_score and perplexity.
securerank2 | float | Suspiciousness rank for a domain, based on the lookup behavior of the client IPs that query it. Securerank is designed to identify hostnames requested by known infected clients but never by clean clients, on the assumption that such domains are more likely to be malicious. Ranges from -100 (suspicious) to 100 (benign).
pagerank | float | Popularity according to Google's PageRank algorithm.
asn_score | float | ASN reputation score. Ranges from -100 to 0, with -100 being very suspicious.
prefix_score | float | Ranks domains by their IP prefixes (an IP prefix is the first three octets of an IP address) and the reputation score of those prefixes. Ranges from -100 to 0, with -100 being very suspicious.
rip_score | float | Ranks domains by their IP addresses and the reputation score of those addresses. Ranges from -100 to 0, with -100 being very suspicious.
fastflux | n/a | NOTE: This property is deprecated in this endpoint. Use the ff_candidate feature in the DNS RR History endpoint instead.
popularity | float | The number of unique client IPs visiting this site, relative to all requests to all sites; that is, how many distinct client IPs go to this domain compared with other domains.
geodiversity | array | The number of queries from clients visiting the domain, broken down by country. Each entry is a non-normalized ratio between 0 and 1.
geodiversity_normalized | array | The number of queries from clients visiting the domain, broken down by country. Each entry is a normalized ratio between 0 and 1.
tld_geodiversity | array | The TLD country-code geodiversity as a percentage of clients visiting the domain. Occurs most often with domains that have a ccTLD. Each entry is a normalized ratio between 0 and 1.
geoscore | float | How far apart the different physical locations serving this name are from each other.
ks_test | float | Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
attack | string | The name of any known attack associated with this domain. Returns blank if no known threat is associated with the domain.
threat_type | string | The type of the known attack, such as botnet or APT. Returns blank if no known threat is associated with the domain.
found | boolean | Returns true if results are available. Returns blank if no known threat is associated with the domain.

GET https://investigate.api.umbrella.com/security/name/example.com

REQUEST

curl --include \
     --header "Authorization: Bearer %YourToken%" \
     https://investigate.api.umbrella.com/security/name/example.com

RESPONSE (HTTP 200, Content-Type: application/json)

{
  "dga_score": 38.301771886101335,
  "perplexity": 0.4540313302593146,
  "entropy": 2.5216406363433186,
  "securerank2": -1.3135141095601992,
  "pagerank": 0.0262532,
  "asn_score": -29.75810625887133,
  "prefix_score": -64.9070502788884,
  "rip_score": -75.64720536038982,
  "popularity": 25.335450495507196,
  "fastflux": false,
  "geodiversity": [
    [
      "UA",
      0.24074075
    ],
    [
      "IN",
      0.018518519
    ]
  ],
  "geodiversity_normalized": [
    [
      "AP",
      0.3761535390278368
    ],
    [
      "US",
      0.0005015965168831449
    ]
  ],
  "tld_geodiversity": [],
  "geoscore": 0,
  "ks_test": 0,
  "attack": "",
  "threat_type": "",
  "found": true
}
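The following is an added example, not code from the Umbrella Investigate documentation. It wraps the query shown above and turns the individual scores into a triage summary using the value ranges the field table states. The cut-offs (-50 on the -100..0 scales, ±50 for securerank2), the INVESTIGATE_TOKEN environment variable and the use of urllib are assumptions of this example, not anything the API documents; the sample record is the page's own response example, embedded so the script runs offline.

```python
"""Added example (not from the Umbrella Investigate docs): fetch the
security-information record for a domain and summarize its scores using
the ranges stated in the field table. Thresholds are assumed, not documented."""
import json
import os
import urllib.request

INVESTIGATE_URL = "https://investigate.api.umbrella.com/security/name/{domain}"

# Documented (low, high) ranges for the fields that state one.
DOCUMENTED_RANGES = {
    "dga_score": (-100.0, 0.0),
    "perplexity": (-100.0, 0.0),
    "asn_score": (-100.0, 0.0),
    "prefix_score": (-100.0, 0.0),
    "rip_score": (-100.0, 0.0),
    "securerank2": (-100.0, 100.0),
}

# Constructed sample: the page's example response (with its JSON quoting fixed).
SAMPLE_RESPONSE = {
    "dga_score": 38.301771886101335,
    "perplexity": 0.4540313302593146,
    "entropy": 2.5216406363433186,
    "securerank2": -1.3135141095601992,
    "pagerank": 0.0262532,
    "asn_score": -29.75810625887133,
    "prefix_score": -64.9070502788884,
    "rip_score": -75.64720536038982,
    "popularity": 25.335450495507196,
    "fastflux": False,  # deprecated in this endpoint; ignored below
    "geodiversity": [["UA", 0.24074075], ["IN", 0.018518519]],
    "geodiversity_normalized": [["AP", 0.3761535390278368], ["US", 0.0005015965168831449]],
    "tld_geodiversity": [],
    "geoscore": 0,
    "ks_test": 0,
    "attack": "",
    "threat_type": "",
    "found": True,
}


def fetch_security_info(domain, token):
    """Live lookup: GET /security/name/{domain} with a bearer token."""
    req = urllib.request.Request(
        INVESTIGATE_URL.format(domain=domain),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def out_of_range(info):
    """Fields whose value falls outside the documented range. Worth checking
    before trusting a score: the page's own sample has positive dga_score
    and perplexity although both are documented as -100..0."""
    return [
        f for f, (lo, hi) in DOCUMENTED_RANGES.items()
        if f in info and not lo <= info[f] <= hi
    ]


def suspicious_negative_scores(info, threshold=-50.0):
    """Fields on the -100 (suspicious)..0 (benign) scale at or below the
    assumed cut-off. DGA, perplexity and entropy are meant to be read
    together, so no single entry here is conclusive on its own."""
    fields = ("dga_score", "perplexity", "asn_score", "prefix_score", "rip_score")
    return [f for f in fields if f in info and info[f] <= threshold]


def securerank_label(score, threshold=50.0):
    """Bucket securerank2 (-100 suspicious .. 100 benign) with an assumed cut-off."""
    if score <= -threshold:
        return "suspicious"
    if score >= threshold:
        return "benign"
    return "inconclusive"


def top_geodiversity(info, key="geodiversity", n=3):
    """Countries contributing the most client queries, as (country, ratio) pairs."""
    pairs = [(cc, ratio) for cc, ratio in info.get(key, [])]
    return sorted(pairs, key=lambda p: p[1], reverse=True)[:n]


def known_threat(info):
    """(attack, threat_type) when Umbrella names a threat, else None."""
    attack, ttype = info.get("attack", ""), info.get("threat_type", "")
    return (attack, ttype) if attack or ttype else None


def summarize(info):
    """Combine the individual signals into one record for an analyst."""
    if not info.get("found"):
        return {"found": False}
    return {
        "found": True,
        "known_threat": known_threat(info),
        "securerank": securerank_label(info["securerank2"]),
        "reputation_flags": suspicious_negative_scores(info),
        "name_signals": {k: info.get(k) for k in ("dga_score", "perplexity", "entropy")},
        "top_countries": top_geodiversity(info),
        "out_of_documented_range": out_of_range(info),
    }


if __name__ == "__main__":
    token = os.environ.get("INVESTIGATE_TOKEN")  # assumption: token supplied via env
    record = fetch_security_info("example.com", token) if token else SAMPLE_RESPONSE
    print(json.dumps(summarize(record), indent=2))
```

Run without a token to see the summary of the page's sample record; on that record the IP-level reputation fields (prefix_score, rip_score) are the only ones past the assumed cut-off, securerank2 is near zero and therefore inconclusive, and no named attack is attached, which is the kind of mixed picture the opening paragraph warns against reading from a single feature.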